Re: [PATCH 1/1] udf: Fix null-ptr-deref in udf_write_fi()

From: Jan Kara
Date: Mon Jan 09 2023 - 04:46:38 EST


On Sat 07-01-23 22:50:16, Fedor Pchelkin wrote:
> udf_find_entry() can return NULL or an error pointer if it fails. So we
> should check its return value to avoid NULL pointer dereferencing in
> udf_write_fi() (which is called from udf_delete_entry()). Also, if
> udf_find_entry() returns an error pointer, it is possible that ofibh and
> ocfi structs hold invalid values which can cause additional problems in
> udf_write_fi().
>
> If udf_find_entry() returns an error pointer, udf_rename() should return
> with an error code. If udf_find_entry() returns NULL, ofi has probably
> already been deleted.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: 231473f6ddce ("udf: Return error from udf_find_entry()")
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+8a5a459f324d510ea15a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>

Thanks for the patch but I have already queued in my tree [1] rewrite of
UDF directory handling code that addresses multiple issues syzbot found in
directory handling and as far as I'm looking into the new code, this one
should be fixed as well.

[1] git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs.git for_next

Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
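The return convention the commit message relies on (a lookup that hands back a valid pointer, NULL for "not found", or an ERR_PTR()-encoded errno for a failure) is a common source of this kind of bug: a caller that only tests for NULL still dereferences the error-pointer case, and a caller that tests only IS_ERR() still dereferences NULL. The following is an added, self-contained userspace example, not code from the patch or from the kernel's UDF code. find_entry(), delete_entry_unchecked(), delete_entry(), the entry table and the io_error flag are hypothetical stand-ins; the ERR_PTR()/IS_ERR()/PTR_ERR() helpers are userspace copies modelled on include/linux/err.h so the block compiles outside the kernel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins for the kernel helpers in include/linux/err.h.
 * Error pointers live in the top MAX_ERRNO bytes of the address space. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline int IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}
static inline int IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

/* Constructed directory table standing in for on-disk file identifiers. */
struct entry {
	char name[16];
	int used;
};
static struct entry dir_table[] = {
	{ "a", 1 }, { "b", 1 }, { "", 0 }, { "", 0 },
};
#define DIR_ENTRIES (sizeof(dir_table) / sizeof(dir_table[0]))

/* Hypothetical lookup with the three-way contract the thread describes:
 * a valid pointer on success, NULL when the name is absent, and an
 * ERR_PTR()-encoded errno when reading the directory fails (simulated
 * here by the io_error flag). */
static struct entry *find_entry(const char *name, int io_error)
{
	if (io_error)
		return ERR_PTR(-EIO);
	for (size_t i = 0; i < DIR_ENTRIES; i++)
		if (dir_table[i].used && strcmp(dir_table[i].name, name) == 0)
			return &dir_table[i];
	return NULL;
}

/* The pattern the report describes: the result is written through without
 * any check, so both NULL and ERR_PTR() results are dereferenced.
 * Kept for comparison only; nothing below calls it. */
static int delete_entry_unchecked(const char *name, int io_error)
{
	struct entry *e = find_entry(name, io_error);

	e->used = 0;	/* crashes on NULL, writes to a bogus address on ERR_PTR */
	return 0;
}

/* Hardened form: both failure kinds are handled before the write, with
 * the errno propagated and a missing entry reported as -ENOENT. */
static int delete_entry(const char *name, int io_error)
{
	struct entry *e = find_entry(name, io_error);

	if (IS_ERR(e))
		return (int)PTR_ERR(e);	/* I/O failure: hand the errno back up */
	if (!e)
		return -ENOENT;		/* already gone: nothing to write */
	e->used = 0;
	return 0;
}

int main(void)
{
	printf("delete b with I/O error: %d (expect %d)\n",
	       delete_entry("b", 1), -EIO);
	printf("delete a: %d\n", delete_entry("a", 0));
	printf("delete a again: %d (expect %d)\n",
	       delete_entry("a", 0), -ENOENT);
	(void)delete_entry_unchecked;
	return 0;
}
```

IS_ERR_OR_NULL() is the right test only when the caller treats both outcomes identically; here they differ (one is propagated, the other is a "nothing to do" path), so they are distinguished explicitly.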